Subject: RE: [xacml] Section B.6 - Resource attributes
On 27 July, Tim Moses writes: RE: [xacml] Section B.6 - Resource attributes
> 1. "In the former case, the attribute identifier SHALL appear in the
> <ResourceAttributeDesignator> element."
>
> I only included this sentence as a counterpart to the earlier sentence: "The
> corresponding attributes MAY appear in the <Resource> element of the request
> context". You are right; it's redundant. I'll take it out.
>
> 2. OK. I'll remove any restriction on the type of resource-id.
>
> 3. I'll drop the xpath attribute.
>
> 4. I'll add the document-id attribute. Can we say anything about this
> attribute and what it might contain?

The document-id attribute is defined in the Hierarchical Resources
Profile. It will be included in Section 6 "New attribute identifiers
for hierarchical resources", but is currently only defined in Section 3.1
"Notes in an XML document" after the "Additional attributes MAY be
included ..." paragraph. I don't know if we want to define this also
in the core XACML spec.

> How about this? ...
>
> Draft 13
>
> These identifiers indicate attributes of the resource. The corresponding
> attributes MAY appear in the <Resource> element of the request context and
> be accessed by means of a <ResourceAttributeDesignator> element, or by an
> <AttributeSelector> element that points into the <Resource> element of the
> request context.
> This attribute identifies the contents of the
> <xacml-context:ResourceContent> element.
> urn:oasis:names:tc:xacml:1.0:resource:document-id

The Hierarchical resources profile says the following:

   The <AttributeValue> of this <Attribute> SHALL be a URI that
   identifies the XML document of which the requested resource is
   a part. This <Attribute> MAY specify an Issuer.

If you also define document-id in the core spec, then I think it
should mention that the DataType SHALL be &xml;anyURI.

> This attribute identifies the resource to which access is requested. Note:
> the resource to which access is requested may not be the same as the
> resource supplied in the <xacml-context:ResourceContent> element.

I think I would say something like, "If an
<xacml-context:ResourceContent> element is provided, then the
resource to which access is requested SHALL be all or a portion of
the resource supplied in the <xacml-context:ResourceContent>
element."

Anne

> urn:oasis:names:tc:xacml:1.0:resource:resource-id
> This attribute identifies the namespace of the top element of the contents
> of the <xacml-context:ResourceContent> element. In the case where the
> resource content is supplied in the request context and the resource
> namespace is defined in the resource, the PDP SHALL confirm that the
> namespace defined by this attribute is the same as that defined in the
> resource. The type of the corresponding attribute SHALL be
> "http://www.w3.org/2001/XMLSchema#anyURI".
> urn:oasis:names:tc:xacml:2.0:resource:target-namespace
>
> -----Original Message-----
> From: Anne Anderson [mailto:Anne.Anderson@Sun.COM]
> Sent: Tuesday, July 27, 2004 11:26 AM
> To: Tim Moses
> Cc: 'XACML'
> Subject: Re: [xacml] Section B.6 - Resource attributes
>
> On 27 July, Tim Moses writes: [xacml] Section B.6 - Resource attributes
> > Colleagues - Some proposed changes to Section B.6. Any comments? All the
> > best. Tim.
> >
> > Draft 13
> >
> > These identifiers indicate attributes of the resource. The corresponding
> > attributes MAY appear in the <Resource> element of the request context and
> > be accessed by means of a <ResourceAttributeDesignator> element, or by an
> > <AttributeSelector> element that points into the <Resource> element of the
> > request context. In the former case, the attribute identifier SHALL appear
> > in the <ResourceAttributeDesignator> element.
>
> I don't understand why the last sentence is needed. If the attribute is in
> the <Resource> element and is accessed by means of a
> <ResourceAttributeDesignator> element, doesn't that mean the attribute
> identifier must by definition appear in the <ResourceAttributeDesignator>
> element?
>
> > This identifier indicates the URI of the resource. The type of the
> > corresponding attribute SHALL be "http://www.w3.org/2001/XMLSchema#anyURI".
> > urn:oasis:names:tc:xacml:1.0:resource:resource-id
>
> The Hierarchical Resource Profile for XML resources proposes that the
> DataType of the resource-id be "xpath-expression", identifying the specific
> node of the resource that is being requested. In this case, the optional
> "document-id" resource Attribute can be used to hold the URI of the entire
> XML document.
>
> I think Daniel also objected to forcing resource-id to be a URI. Or maybe it
> was just a URI conforming to my proposed hierarchical URI scheme :-)
>
> So is there a reason resource-id must be a URI?
>
> > This identifier indicates the name-space of the top element of the resource.
> > In the case where the resource content is supplied in the request context
> > and the resource namespace is defined in the resource, the PDP SHALL confirm
> > that the namespace defined by this attribute is the same as that defined in
> > the resource. The type of the corresponding attribute SHALL be
> > "http://www.w3.org/2001/XMLSchema#anyURI".
> > urn:oasis:names:tc:xacml:2.0:resource:target-namespace
>
> > This identifier indicates an xpath expression whose context node is the
> > <xacml-context:Request> element. This attribute SHALL only appear in the
> > <ResourceAttributeDesignator> element. The type of the corresponding
> > attribute SHALL be
> > "urn:oasis:names:tc:xacml:2.0:data-type:xpath-expression".
> > urn:oasis:names:tc:xacml:2.0:resource:xpath
>
> I proposed that we drop the "xpath" Attribute, since there is no need for it
> with the Hierarchical Resource Profile. "resource-id" in that case will
> contain the xpath expression pointing to the requested node.
>
> Note that the reason for putting the xpath-expression pointing to the
> requested node into the "resource-id" Attribute is so that the Response
> <Result> ResourceId XML attribute can copy the resource-id Attribute and
> have it be an unambiguous reference to the node to which the <Result>
> corresponds.
>
> Anne
> --
> Anne H. Anderson             Email: Anne.Anderson@Sun.COM
> Sun Microsystems Laboratories
> 1 Network Drive,UBUR02-311     Tel: 781/442-0928
> Burlington, MA 01803-0902 USA  Fax: 781/442-1692

--
Anne H. Anderson             Email: Anne.Anderson@Sun.COM
Sun Microsystems Laboratories
1 Network Drive,UBUR02-311     Tel: 781/442-0928
Burlington, MA 01803-0902 USA  Fax: 781/442-1692
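
The PDP-side checks discussed in this thread, as an added example that is not part of the original message or of any XACML implementation: it confirms that target-namespace matches the namespace of the top element inside <ResourceContent>, and that target-namespace and document-id carry the anyURI DataType. The context namespace URI, the names `check_resource` and `make_request`, and all `urn:example:*` values are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Assumption: XACML 2.0 context namespace; the thread itself never spells it out.
CTX = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
ANY_URI = "http://www.w3.org/2001/XMLSchema#anyURI"
TARGET_NS = "urn:oasis:names:tc:xacml:2.0:resource:target-namespace"
DOCUMENT_ID = "urn:oasis:names:tc:xacml:1.0:resource:document-id"


def check_resource(request_xml):
    """Return a list of findings for the <Resource> of a request context."""
    if "<!DOCTYPE" in request_xml:
        # Refuse DTDs so entity expansion never reaches the parser.
        return ["request contains a DOCTYPE"]
    resource = ET.fromstring(request_xml).find(f"{{{CTX}}}Resource")
    if resource is None:
        return ["no <Resource> element"]
    findings, attrs = [], {}
    for a in resource.findall(f"{{{CTX}}}Attribute"):
        value = a.findtext(f"{{{CTX}}}AttributeValue", default="").strip()
        attrs[a.get("AttributeId")] = (a.get("DataType"), value)
    for attr_id in (TARGET_NS, DOCUMENT_ID):
        if attr_id in attrs and attrs[attr_id][0] != ANY_URI:
            findings.append(f"{attr_id}: DataType is not anyURI")
    content = resource.find(f"{{{CTX}}}ResourceContent")
    top = content[0] if content is not None and len(content) else None
    if top is not None and TARGET_NS in attrs:
        # ElementTree tags read "{namespace}local"; no brace means no namespace.
        content_ns = top.tag[1:].split("}")[0] if top.tag.startswith("{") else None
        if content_ns is not None and content_ns != attrs[TARGET_NS][1]:
            findings.append(f"target-namespace {attrs[TARGET_NS][1]!r} "
                            f"differs from content namespace {content_ns!r}")
    return findings


def make_request(declared_ns, doc_id_type=ANY_URI):
    """Constructed sample request; every urn:example:* value is made up."""
    return f"""<Request xmlns="{CTX}"><Resource>
      <ResourceContent><r:record xmlns:r="urn:example:records"/></ResourceContent>
      <Attribute AttributeId="{TARGET_NS}" DataType="{ANY_URI}">
        <AttributeValue>{declared_ns}</AttributeValue></Attribute>
      <Attribute AttributeId="{DOCUMENT_ID}" DataType="{doc_id_type}">
        <AttributeValue>urn:example:doc:42</AttributeValue></Attribute>
    </Resource></Request>"""


if __name__ == "__main__":
    print(check_resource(make_request("urn:example:records")))
    print(check_resource(make_request("urn:example:other")))
```

A request whose declared target-namespace disagrees with the supplied content is reported rather than evaluated, so a policy written against one namespace is never applied to content from another.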